Hi. I'm implementing an access control system on a web application with Tomcat.

As of now, login.jsp passes the username and the password in clear text to the servlet that manages the login. I would like to add security to the login process by using SSL to encrypt the data. How can I make the user enter login.jsp using SSL? Tomcat is already configured for SSL support (using https://URL/login.jsp works). I want to use SSL only for the login process (so I would like to connect to login.jsp via SSL, switching from http to https automatically, and then revert to http when done).

I have two problems in doing this:

1) I don't know how to automatically switch to SSL when login.jsp is requested. I've tried setting a security-constraint in the web.xml and it somehow works (when login.jsp is selected it automatically switches to SSL), but then it doesn't turn back to clear HTTP and remains in SSL for the other pages too.

2) I heard that switching from an SSL to a non-SSL connection invalidates the current session. This is a problem, because my login implementation uses the session to store login details.

Do you know of solutions to this?

Thanks for your help. I've spent many hours trying to understand what to do, but when it comes to SSL the information is quite confusing.

Marcello Maggioni